No subject


Thu Nov 23 16:34:03 EST 2017


alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (
msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+;
classtype:bad-unknown; sid:1292; rev:1;)

is close to what I use for to help alert for 'vulnerable hosts' that
don't get also get to tftp a file.

pat = "<DIR>";
pat2 = "Directory of C";

is used in 

http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/iis_dir_traversal.nasl

Uses <DIR> because it was contant regardless of language settings
between countries.

I'm in US and it hard to get another windows language version.  What
are you seeing?

>> 
>> > btw. I'm security engineer at a large(?) ISP and snort has to analyse a
>> > continuous flow of 3Mbytes/s. So you can imagine that rules with too
>> > much false positives just aren't usefull to me.
>> 
>> What I do is mine out what I Don't want and only investigate a certain
>> subset.  It's not really setup to be tied to my pager though :>
> Well I defined some "code-reds" that are going to be tied to my gsm. :-)

Yeah I have those too. The CNET is the one I was complaing about for a
false alarm :)

Summary for those playing along at home:

Add some outgoing rules for exploit du jour that would mark them
differently than things going to HOME_NET.

How to cycle through what is du jour aside from doing all the rules is
a difficult.

Of course, several places I've talked to run IDS in reverse to just
see what they are doing to the outside world but that seems a bit
wasteful since we are already running.

-- 
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.




More information about the Snort-sigs mailing list